RGW Bucket Policy

Bucket Policy opens the door to sharing S3 data. The policy is set on a bucket through the S3 interface and lets that bucket grant certain access permissions to some users, or deny certain permissions to some users.

Environment

  • Ceph cluster version: mimic
  • RGW version: nautilus
  • One master zonegroup in one realm
  • The master zonegroup contains two zones: exter (the master zone) and backup
  • The master zonegroup contains two placements, default-placement and cold-placement
    default-placement stores data in exter.rgw.buckets.{data, index, non-ec}
    cold-placement stores data in exter.rgw.cold.{data, index, non-ec}
  • Four users were created in zone exter, belonging to the ours tenant and the default tenant
    the default tenant contains the users colder and admin
    the ours tenant contains the users ourone and ourtwo
  • The colder user uses cold-placement; all other users use default-placement

Usage

Example policy configuration in JSON:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::my-cold-bucket",
            "arn:aws:s3:::my-cold-bucket/*"
        ]
    }]
}

Notes on the fields:

  1. Version: either 2008-10-17 or 2012-10-17. That is simply how AWS defines it; there is no further reasoning behind it.
  2. Effect: one of two options, Allow or Deny.
  3. Principal: the entity performing the operation, e.g. "arn:aws:iam:::user/" (this example still needs to be verified).
  4. Action: the operation being allowed or denied.
  5. Resource: the object the operation is performed on.
  6. Condition: conditions under which the statement applies.

For the full set of supported keywords see the Ceph source file src/rgw/rgw_iam_policy_keywords.gperf.
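Before a policy like the one above is applied, it is worth checking statically what it hands out: a Principal of "*" combined with Action "s3:*" grants every RGW user, in every tenant, every operation on the bucket, which is exactly what the cross-tenant test on this page later observes. The following audit script is an added example and is not part of the original page or of Ceph; it parses RGW's tenant-qualified user ARNs (arn:aws:iam::<tenant>:user/<name>, empty tenant for the default tenant) and flags wildcard principals, s3:* actions and grants to users outside the bucket's own tenant. The function names audit_policy and parse_principal are my own, and the two sample policies are reconstructed from the ones shown on this page.

```python
#!/usr/bin/env python3
"""Static audit of an RGW bucket-policy document (added example, not from the page)."""
import json
import re

# RGW user principals look like arn:aws:iam::<tenant>:user/<name>; an empty tenant
# field means the default tenant, e.g. "arn:aws:iam:::user/admin".
_USER_ARN = re.compile(r"^arn:aws:iam::([^:]*):user/(.+)$")


def parse_principal(arn):
    """Return (tenant, user) for a user ARN ('' = default tenant), or None if not a user ARN."""
    match = _USER_ARN.match(arn)
    if match is None:
        return None
    tenant, user = match.groups()
    return (tenant, user)


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_text, bucket_tenant=""):
    """Return a list of findings for the JSON policy of a bucket owned by bucket_tenant."""
    findings = []
    policy = json.loads(policy_text)
    if policy.get("Version") not in ("2008-10-17", "2012-10-17"):
        findings.append("Version must be 2008-10-17 or 2012-10-17")
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "s3:*" in _as_list(stmt.get("Action")):
            findings.append("statement %d: Action s3:* grants every S3 operation on the "
                            "resource, not just reads" % idx)
        for arn in aws:
            if arn == "*":
                findings.append("statement %d: Principal '*' allows any user in any tenant" % idx)
                continue
            parsed = parse_principal(arn)
            if parsed is None:
                findings.append("statement %d: unrecognised principal %r" % (idx, arn))
            elif parsed[0] != bucket_tenant:
                findings.append("statement %d: cross-tenant grant to %s$%s"
                                % (idx, parsed[0] or "<default>", parsed[1]))
    return findings


# Constructed sample input: the two policies used on this page.
COLD_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-cold-bucket", "arn:aws:s3:::my-cold-bucket/*"],
    }],
})

OURONE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::ours:user/ourtwo", "arn:aws:iam:::user/admin"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::ouronebucket", "arn:aws:s3:::ouronebucket/*"],
    }],
})

if __name__ == "__main__":
    # my-cold-bucket belongs to colder (default tenant), ouronebucket to ours$ourone
    for name, tenant, text in [("my-cold-bucket", "", COLD_BUCKET_POLICY),
                               ("ouronebucket", "ours", OURONE_BUCKET_POLICY)]:
        print(name)
        for finding in audit_policy(text, tenant):
            print("   ", finding)
```

Run against the page's two policies, the script reports the wildcard principal and the s3:* action on my-cold-bucket, and the s3:* action plus the deliberate cross-tenant grant to the default-tenant admin user on ouronebucket; the grant to ours$ourtwo stays quiet because it is inside the bucket's own tenant.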

Test

Purpose

Investigate how to configure access within the same tenant and how to configure cross-tenant access.

Test method

The user ours$ourone creates a bucket named ouronebucket and configures its policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::ours:user/ourtwo", "arn:aws:iam:::user/admin"]},
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::ouronebucket",
            "arn:aws:s3:::ouronebucket/*"
        ]
    }]
}

Write the policy to the bucket with the s3cmd tool:

s3cmd setpolicy policy.json s3://ouronebucket

The user colder creates a bucket named my-cold-bucket and configures its policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::my-cold-bucket",
            "arn:aws:s3:::my-cold-bucket/*"
        ]
    }]
}

Write the policy to the bucket with the s3cmd tool:

s3cmd setpolicy policy.json s3://my-cold-bucket

Access my-cold-bucket as the admin user:

$ s3cmd -c ./admin.cfg ls s3://my-cold-bucket
2019-10-17 09:06 207 s3://my-cold-bucket/admin.cfg
2019-10-16 08:40 8478720 s3://my-cold-bucket/tgt.tar

Access within the same tenant works normally.

Access ouronebucket as the admin user:

$ s3cmd -c ./admin.cfg ls s3://ouronebucket
ERROR: Bucket 'ouronebucket' does not exist
ERROR: S3 error: 404 (NoSuchBucket)
$ s3cmd -c ./admin.cfg ls s3://ours:ouronebucket
ERROR: S3 error: 403 (SignatureDoesNotMatch)

Access my-cold-bucket as the ourtwo user:

$ s3cmd -c ./ours_two.cfg ls s3://my-cold-bucket
ERROR: Bucket 'my-cold-bucket' does not exist
ERROR: S3 error: 404 (NoSuchBucket)
$ s3cmd -c ./ours_two.cfg ls s3://:my-cold-bucket
ERROR: S3 error: 403 (SignatureDoesNotMatch)

Access ouronebucket as the ourtwo user:

$ s3cmd -c ./ours_two.cfg ls s3://ouronebucket
ERROR: Access to bucket 'ouronebucket' was denied
ERROR: S3 error: 403 (AccessDenied)
$ s3cmd -c ./ours_two.cfg ls s3://ours:ouronebucket
ERROR: S3 error: 403 (SignatureDoesNotMatch)

Change the Principal in ouronebucket's policy to {"AWS": ["*"]} and try again:

$ s3cmd -c ./ours_two.cfg put ./ours_two.cfg s3://ouronebucket
WARNING: Module python-magic is not available. Guessing MIME types based on file extensions.
upload: './ours_two.cfg' -> 's3://ouronebucket/ours_two.cfg' [1 of 1]
207 of 207 100% in 0s 356.83 B/s done
$ s3cmd -c ./ours_two.cfg ls s3://ouronebucket
2019-10-17 12:01 207 s3://ouronebucket/ours_two.cfg

I came across an article online, "Rgw bucket policy权限设置", which mentions that boto3 does not support tenants, so I suspected that s3cmd might not support tenants either and wrote a small Python script to check:

#!/usr/bin/env python
# encoding: utf-8

import boto
import boto.s3.connection

# One (access key, secret key, bucket) triple per user under test. The bucket is
# written as "tenant:bucket"; an empty tenant before the colon is the default tenant.
access_list = ["1CXO01UCDSR1182IUYPL", "8I4K2USDV5SK3UFLQUB0"]
secret_list = ["Ww0Io3b6fF7dXHQiO9gLo99DZbZAKqfvNO2N7g48", "A4JuvB468tmnDpmkZMfwesb2zmGZeSiCJlzJMALc"]
bucket_list = [":my-cold-bucket", "ours:ouronebucket"]

for access, secret, bucket in zip(access_list, secret_list, bucket_list):
    conn = boto.connect_s3(aws_access_key_id=access,
                           aws_secret_access_key=secret,
                           host='172.30.12.137',
                           port=7480,
                           is_secure=False,
                           # path-style addressing, so "tenant:bucket" goes into the URL path
                           calling_format=boto.s3.connection.OrdinaryCallingFormat())
    # get_bucket() issues a HEAD on the bucket and raises S3ResponseError on 403
    bkt = conn.get_bucket(bucket)
    print(bkt.get_all_keys())

Run it:

# python bkt-policy.py
[<Key: :my-cold-bucket,admin.cfg>, <Key: :my-cold-bucket,tgt.tar>]
[<Key: ours:ouronebucket,ours_two.cfg>]

This shows that cross-tenant access works.

Change the Principal in ouronebucket's policy to {"AWS": ["arn:aws:iam::ours:user/two","arn:aws:iam:::user/admin"]} so that only the two users ours$two and admin are allowed, and run the Python script above again:

# python bkt-policy.py
[<Key: :my-cold-bucket,admin.cfg>, <Key: :my-cold-bucket,tgt.tar>]
[<Key: ours:ouronebucket,ours_two.cfg>]

Then add colder's access key and secret key to the script above and run it again:

# python bkt-policy.py
[<Key: :my-cold-bucket,admin.cfg>, <Key: :my-cold-bucket,tgt.tar>]
[<Key: ours:ouronebucket,ours_two.cfg>]
Traceback (most recent call last):
  File "bkt-policy.py", line 22, in <module>
    bkt = conn.get_bucket(bucket)
  File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 509, in get_bucket
    return self.head_bucket(bucket_name, headers=headers)
  File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 542, in head_bucket
    raise err
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden

Because the Principal does not grant colder any permission, colder gets a 403 error when accessing ouronebucket.
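The decisions observed in these tests (admin and ourtwo allowed on ouronebucket, colder refused with 403, everyone allowed on the wildcard my-cold-bucket) follow from the field semantics listed under Usage: default deny, a statement applies only when Principal, Action and Resource all match, and an explicit Deny wins over any Allow. The evaluator below is an added example, not RGW's own policy engine, that reproduces those decisions offline; the policies and user ARNs are constructed from the ones on this page, and the names evaluate, replay and EXPLICIT_DENY_POLICY are my own. It goes slightly beyond the page by also showing an explicit Deny overriding a wildcard Allow, which is the idiom to use when a bucket must be open to a tenant except for one user.

```python
#!/usr/bin/env python3
"""Minimal bucket-policy evaluator (added example, not RGW's own implementation)."""
import json
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))


def evaluate(policy_text, principal_arn, action, resource_arn):
    """Return 'Allow' or 'Deny'. Default is Deny; an explicit Deny overrides any Allow."""
    decision = "Deny"
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        # Principal "*" matches every user, in every tenant; otherwise the ARN must match exactly.
        if not any(p == "*" or p == principal_arn for p in _principals(stmt)):
            continue
        # Action and Resource accept the usual '*' / '?' wildcards (s3:*, bucket/*).
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed from the policies on this page. User ARNs follow the page's form
# arn:aws:iam::<tenant>:user/<name>, with an empty tenant for the default tenant.
OURONE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::ours:user/ourtwo", "arn:aws:iam:::user/admin"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::ouronebucket", "arn:aws:s3:::ouronebucket/*"],
    }],
})

PUBLIC_COLD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-cold-bucket", "arn:aws:s3:::my-cold-bucket/*"],
    }],
})

# Constructed (not from the page): open to everyone, but colder may not read objects.
EXPLICIT_DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:*", "Resource": "arn:aws:s3:::shared/*"},
        {"Effect": "Deny", "Principal": {"AWS": ["arn:aws:iam:::user/colder"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared/*"},
    ],
})

# The users the page tested. The owner ours$ourone is left out: owner access comes
# from the bucket ACL, which this evaluator does not model.
USERS = {
    "admin": "arn:aws:iam:::user/admin",
    "colder": "arn:aws:iam:::user/colder",
    "ourtwo": "arn:aws:iam::ours:user/ourtwo",
}


def replay():
    """Decision for each user listing each bucket, mirroring the s3cmd/boto tests above."""
    results = {}
    for user, arn in USERS.items():
        results[(user, "ouronebucket")] = evaluate(
            OURONE_POLICY, arn, "s3:ListBucket", "arn:aws:s3:::ouronebucket")
        results[(user, "my-cold-bucket")] = evaluate(
            PUBLIC_COLD_POLICY, arn, "s3:ListBucket", "arn:aws:s3:::my-cold-bucket")
    return results


if __name__ == "__main__":
    for (user, bucket), decision in sorted(replay().items()):
        print("%-7s %-15s %s" % (user, bucket, decision))
    colder = "arn:aws:iam:::user/colder"
    print("colder GetObject on shared:", evaluate(EXPLICIT_DENY_POLICY, colder, "s3:GetObject", "arn:aws:s3:::shared/x"))
    print("colder PutObject on shared:", evaluate(EXPLICIT_DENY_POLICY, colder, "s3:PutObject", "arn:aws:s3:::shared/x"))
```

The replay gives Allow for admin and ourtwo on ouronebucket and Deny for colder, matching the 403 Forbidden from boto, and Allow for all three on my-cold-bucket. Note that the evaluator only decides what the policy says; RGW additionally consults bucket and object ACLs, so a Deny here is final but an Allow can still be combined with ACL checks.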

References & Acknowledgements